Some existing tools provide a mechanism to retrieve findings from software security testing tools. When they attempt to combine findings into a single view, such tools tend either to aggregate data without de-duplication or to de-duplicate findings ineffectually. The existing tools are intolerant of small changes or differences between findings generated by different software security testing tools, or between scan-over-scan findings generated by the same software security testing tool, resulting in ineffectual de-duplication. When the existing tools combine findings, partial matches among findings (for example, two findings that agree on weakness category and file but differ by a few lines because code was inserted between scans, or two findings that agree on file and line but report different weakness categories) are particularly problematic and often result in incorrect or incomplete combination of findings.
Further, when static code analysis is performed to find security vulnerabilities using multiple static application security testing (SAST) tools from different vendors, each tool returns its results in a vendor-specific format, which makes de-duplication of findings still more difficult.
In view of the foregoing, a need exists for a de-duplication solution that is able to consume the findings of multiple static application security testing tools and present them in a single, de-duplicated format, normalized to a standardized taxonomy, so that developers and security personnel can focus on individual problems in a simpler-to-consume format.
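The following is an added illustration of the problem described above, not an embodiment or code from the application itself. It normalizes findings from two constructed, hypothetical vendor formats ("vendorA" and "vendorB", invented for this example) to a common record keyed on a standardized taxonomy (CWE identifiers), then de-duplicates them with a small line-number tolerance so that scan-over-scan drift is merged while partial matches (same location, different weakness) are deliberately kept apart. The field names, path and CWE normalization rules, and the three-line window are all assumptions chosen for the illustration.

```python
"""Added example: normalize findings from two constructed vendor-specific
SAST formats to a common record and de-duplicate them tolerantly.
Vendor formats, field names and the line window are assumptions."""
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class Finding:
    tool: str
    cwe: str    # standardized taxonomy id, e.g. "CWE-79"
    path: str   # normalized repository-relative path
    line: int


@dataclass
class Group:
    cwe: str
    path: str
    line: int                              # line of the first finding merged in
    tools: set = field(default_factory=set)
    members: list = field(default_factory=list)


def normalize_path(path: str) -> str:
    """Forward slashes, no leading './' or '/', so './src/app.py',
    'src\\app.py' and '/src/app.py' all compare equal."""
    p = path.replace("\\", "/")
    while p.startswith("./"):
        p = p[2:]
    return p.lstrip("/")


def normalize_cwe(value) -> str:
    """Accept 79, '79', 'CWE-79' or 'cwe-079' and return 'CWE-79'.
    Values carrying no number map to 'CWE-unknown'."""
    m = re.search(r"(\d+)", str(value))
    return f"CWE-{int(m.group(1))}" if m else "CWE-unknown"


# Hypothetical vendor A: flat record, CWE as a bare integer, './'-prefixed path.
def from_vendor_a(raw: dict) -> Finding:
    return Finding("vendorA", normalize_cwe(raw["cwe"]),
                   normalize_path(raw["path"]), int(raw["line"]))


# Hypothetical vendor B: nested location, taxonomy given as a 'cwe-0NN' string.
def from_vendor_b(raw: dict) -> Finding:
    loc = raw["location"]
    return Finding("vendorB", normalize_cwe(raw["category"]),
                   normalize_path(loc["file"]), int(loc["startLine"]))


def dedupe(findings, line_window=3):
    """Merge findings with the same CWE and path whose line lies within
    line_window of the group's anchor line (tolerates scan-over-scan drift).
    Anchoring on the first line seen prevents unbounded chaining. Findings
    that agree only on some fields remain separate groups."""
    groups = []
    for f in findings:
        for g in groups:
            if (g.cwe == f.cwe and g.path == f.path
                    and abs(g.line - f.line) <= line_window):
                g.tools.add(f.tool)
                g.members.append(f)
                break
        else:
            groups.append(Group(f.cwe, f.path, f.line, {f.tool}, [f]))
    return groups


# Constructed sample output for the two hypothetical vendors.
VENDOR_A_RAW = [
    {"rule": "xss-reflected", "cwe": 79, "path": "./src/app.py", "line": 42},
    {"rule": "sqli", "cwe": 89, "path": "./src/db.py", "line": 10},
    {"rule": "sqli", "cwe": 89, "path": "./src/db.py", "line": 88},
]
VENDOR_B_RAW = [
    # Same flaw as vendor A's first finding; line drifted by 2, Windows path.
    {"checkId": "B-XSS-1", "category": "cwe-079",
     "location": {"file": "src\\app.py", "startLine": 44}},
    # Same file and line as the XSS finding but a different weakness:
    # a partial match that must NOT be merged.
    {"checkId": "B-CMDI", "category": "CWE-78",
     "location": {"file": "src/app.py", "startLine": 42}},
]


def run_example():
    findings = ([from_vendor_a(r) for r in VENDOR_A_RAW]
                + [from_vendor_b(r) for r in VENDOR_B_RAW])
    return dedupe(findings)


if __name__ == "__main__":
    for g in run_example():
        print(f"{g.cwe} {g.path}:{g.line} tools={sorted(g.tools)} n={len(g.members)}")
```

Five raw findings collapse to four groups: the two XSS reports are merged across tools despite the path spelling and two-line drift, the two SQL injection reports in the same file stay separate because they are far apart, and the command-injection report at the same location as the XSS report stays separate because the taxonomy id differs. Anchoring the tolerance window on the first-seen line is a deliberate choice; widening the window or re-anchoring on the latest member would merge more aggressively and risks chaining unrelated findings.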